Phishing: Watch out for this new version of trojan malware that spreads through malicious Word documents

A new version of Ursnif is being pushed via malicious Word documents with the aim of stealing bank information and other credentials.


A new variant of trojan malware popular with cyber criminals is spreading via malicious Word documents with the aim of stealing bank details and other useful personal information.


The Ursnif trojan targets Windows machines and has existed in one form or another since at least 2007 when its code first emerged in the Gozi banking trojan.

Ursnif has become incredibly popular with cyber criminals in recent years, due to the source code being leaked online, enabling attackers to take advantage of it for free.


Several different variants of the malware have emerged since the code was leaked, as attackers take it and add their own custom capabilities for stealing banking details and other online account credentials.

Now researchers at cybersecurity firm Fortinet have identified a new version of Ursnif in the wild that is spreading via phishing emails containing weaponised Word documents. These infected lures are named in an "info_[date].doc" format and claim that the document was created in a previous version of Word, so the user must enable macros to see it.

Enabling macros by clicking the 'Enable Content' button runs malicious VBA code that begins dropping a version of Ursnif which, researchers say, was compiled as recently as July 25th, indicating how new this latest incarnation is.

Once installed on a system, the malware runs a number of "iexplorer.exe" processes that repeatedly appear and disappear.

This is Ursnif creating the conditions needed to connect to its command and control server. In what appears to be an effort to make the activity less suspicious, the host list for the C&C server includes references to Microsoft and security companies.
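As an added, defender-side example (not code from the article or from Fortinet's analysis), the Python below runs simple detection checks over constructed process-creation events for the chain described above: a Word document named in the "info_[date].doc" style, Word launching a scripting interpreter after macros are enabled, and short-lived bursts of a process called "iexplorer.exe". The event shape, file paths, host details and timestamps are invented for the example; the exact date format in the lure name and the list of interpreters Word should never spawn are assumptions, not details from the article.

```python
import re
from datetime import datetime, timedelta

# Lure filename pattern: the article reports "info_[date].doc"; the date format is not
# stated, so digits with common separators are accepted (assumption).
LURE_RE = re.compile(r"^info_[\d._-]+\.docm?$", re.IGNORECASE)

# Interpreters and living-off-the-land binaries a word processor has no routine reason
# to launch (generic heuristic; the article does not name what the VBA code spawns).
SUSPICIOUS_OFFICE_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Legitimate Windows binary names for the near-match check. The name quoted in the
# article, "iexplorer.exe", is one character away from Internet Explorer's real
# binary, iexplore.exe, which is worth flagging either way.
KNOWN_BINARIES = {"iexplore.exe", "explorer.exe", "svchost.exe", "winword.exe"}

# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry.
# Every value here is invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2019-08-12T09:00:00", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\ann\Downloads\info_08.12.2019.doc"'},
    {"ts": "2019-08-12T09:00:31", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -File "C:\Users\ann\AppData\Local\Temp\stage.ps1"'},
    {"ts": "2019-08-12T09:01:00", "parent": "powershell.exe", "image": "iexplorer.exe", "cmdline": "iexplorer.exe"},
    {"ts": "2019-08-12T09:01:05", "parent": "iexplorer.exe", "image": "iexplorer.exe", "cmdline": "iexplorer.exe"},
    {"ts": "2019-08-12T09:01:12", "parent": "iexplorer.exe", "image": "iexplorer.exe", "cmdline": "iexplorer.exe"},
    {"ts": "2019-08-12T09:30:00", "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\ann\Documents\quarterly_report.docx"'},
    {"ts": "2019-08-12T09:31:00", "parent": "WINWORD.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe"},
]


def document_from_cmdline(cmdline):
    """Return the document path Word was asked to open (the last quoted argument), or None."""
    quoted = re.findall(r'"([^"]+)"', cmdline)
    return quoted[-1] if quoted else None


def is_lure_filename(path):
    """True when the file name (Windows or POSIX separators) matches the lure convention."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(LURE_RE.match(name))


def lure_document_alerts(events):
    """(timestamp, path) for each Word launch that opened a lure-named document."""
    alerts = []
    for e in events:
        if e["image"].lower() != "winword.exe":
            continue
        doc = document_from_cmdline(e["cmdline"])
        if doc and is_lure_filename(doc):
            alerts.append((e["ts"], doc))
    return alerts


def office_spawn_alerts(events):
    """(timestamp, parent, child) for each interpreter/LOLBin launched by Word."""
    return [(e["ts"], e["parent"], e["image"]) for e in events
            if e["parent"].lower() == "winword.exe"
            and e["image"].lower() in SUSPICIOUS_OFFICE_CHILDREN]


def process_bursts(events, image, window_seconds=60, min_count=3):
    """(image, first start, count) whenever `image` starts >= min_count times within a window.

    This targets the 'appear and disappear' behaviour: many short-lived starts of the
    same binary in a short interval, which a single long-running process never produces.
    """
    starts = sorted(datetime.fromisoformat(e["ts"]) for e in events
                    if e["image"].lower() == image.lower())
    window = timedelta(seconds=window_seconds)
    alerts, i = [], 0
    while i < len(starts):
        j = i
        while j + 1 < len(starts) and starts[j + 1] - starts[i] <= window:
            j += 1
        count = j - i + 1
        if count >= min_count:
            alerts.append((image, starts[i].isoformat(), count))
            i = j + 1
        else:
            i += 1
    return alerts


def _one_edit_away(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def lookalike_process_names(events, known=KNOWN_BINARIES):
    """Process names not on the known list but one edit away from a known binary name."""
    seen = {e["image"].lower() for e in events} | {e["parent"].lower() for e in events}
    return sorted(n for n in seen if n not in known and any(_one_edit_away(n, k) for k in known))


if __name__ == "__main__":
    print("lure documents:", lure_document_alerts(SAMPLE_EVENTS))
    print("word spawned:", office_spawn_alerts(SAMPLE_EVENTS))
    print("bursts:", process_bursts(SAMPLE_EVENTS, "iexplorer.exe"))
    print("lookalike names:", lookalike_process_names(SAMPLE_EVENTS))
```

Each check fires on one constructed event and stays silent on the benign Word launch and its print-spooler helper; in practice the four signals would be correlated on the same host within a few minutes, and the burst threshold tuned against baseline telemetry before alerting on it.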

Researchers warn that the campaign is still active and have provided a write-up of the Indicators of Compromise in their analysis of the malware.

The attack techniques deployed by this latest Ursnif campaign might appear basic, but even simple phishing email attacks can still provide hackers with a means of entering networks or deploying malware.